Bug in Sonar Maven plugin when dealing with system-scope-managed dependencies


jafarre...@gmail.com

Nov 27, 2015, 4:40:17 AM
to SonarQube
Posting again, as I inadvertently disclosed security-sensitive information.

------------------------------------------

Hello,

I have found what seems to be a reproducible bug in sonar-maven-plugin.

Bug description:

Sonar Maven plugin execution is broken in the following scenario:

- The project has a managed dependency.
- The managed dependency is in system scope.
- The managed dependency is a transitive dependency of an actual dependency of the project.

How to reproduce:

Environment:

JDK 7u79
Maven 3.2.2
SonarQube version 4.5.6 LTS with latest compatible plugins.
MySQL 5.7.9 GA
sonar-maven-plugin version 2.7.1

Tested with other versions of Maven and Sonar plugin, but not this thoroughly.

Example POM:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>example</groupId>
    <artifactId>project</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>war</packaging>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>javax.activation</groupId>
                <artifactId>activation</artifactId>
                <version>1.1.1</version>
                <scope>system</scope>
                <systemPath>${java.home}/lib/rt.jar</systemPath>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.codehaus.xfire</groupId>
            <artifactId>xfire-core</artifactId>
            <version>1.2.6</version>
        </dependency>
    </dependencies>
</project>

javax.activation:activation is a transitive dependency of xfire-core.

Removing the reference to ${java.home} does not help.

Execute:

mvn clean install sonar:sonar

Expected result:
Analysis completes normally.

Actual result:

Crashes with the following log:

[INFO] ------------------------------------------------------------------------
[INFO] Building project 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- sonar-maven-plugin:2.7.1:sonar (default-cli) @ project ---
[INFO] User cache: C:\Users\<user>\.sonar\cache
[INFO] SonarQube version: 4.5.6
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.794 s
[INFO] Finished at: 2015-11-26T18:42:13+01:00
[INFO] Final Memory: 12M/219M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:sonar-maven-plugin:2.7.1:sonar (default-cli) on project project: Execution default-cli of goal org.codehaus.mojo:sonar-maven-plugin:2.7.1:sonar failed: An API incompatibility was encountered while executing org.codehaus.mojo:sonar-maven-plugin:2.7.1:sonar: java.lang.AbstractMethodError: org.apache.maven.shared.dependency.tree.DependencyTreeResolutionListener.manageArtifactSystemPath(Lorg/apache/maven/artifact/Artifact;Lorg/apache/maven/artifact/Artifact;)V
[ERROR] -----------------------------------------------------
[ERROR] realm =    plugin>org.codehaus.mojo:sonar-maven-plugin:2.7.1
[ERROR] strategy = org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy
[ERROR] urls[0] = file:/C:/Users/<user>/.m2/repository/org/codehaus/mojo/sonar-maven-plugin/2.7.1/sonar-maven-plugin-2.7.1.jar
[ERROR] urls[1] = file:/C:/Users/<user>/.m2/repository/org/apache/maven/shared/maven-dependency-tree/2.1/maven-dependency-tree-2.1.jar
[ERROR] urls[2] = file:/C:/Users/<user>/.m2/repository/backport-util-concurrent/backport-util-concurrent/3.1/backport-util-concurrent-3.1.jar
[ERROR] urls[3] = file:/C:/Users/<user>/.m2/repository/org/codehaus/plexus/plexus-interpolation/1.11/plexus-interpolation-1.11.jar
[ERROR] urls[4] = file:/C:/Users/<user>/.m2/repository/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.jar
[ERROR] urls[5] = file:/C:/Users/<user>/.m2/repository/org/eclipse/aether/aether-util/0.9.0.M2/aether-util-0.9.0.M2.jar
[ERROR] urls[6] = file:/C:/Users/<user>/.m2/repository/org/sonatype/plexus/plexus-sec-dispatcher/1.4/plexus-sec-dispatcher-1.4.jar
[ERROR] urls[7] = file:/C:/Users/<user>/.m2/repository/org/codehaus/plexus/plexus-utils/1.5.5/plexus-utils-1.5.5.jar
[ERROR] urls[8] = file:/C:/Users/<user>/.m2/repository/org/sonatype/plexus/plexus-cipher/1.4/plexus-cipher-1.4.jar
[ERROR] urls[9] = file:/C:/Users/<user>/.m2/repository/org/sonarsource/sonar-runner/sonar-runner-api/2.5-RC1/sonar-runner-api-2.5-RC1.jar
[ERROR] urls[10] = file:/C:/Users/<user>/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
[ERROR] urls[11] = file:/C:/Users/<user>/.m2/repository/com/google/guava/guava/10.0.1/guava-10.0.1.jar
[ERROR] urls[12] = file:/C:/Users/<user>/.m2/repository/com/google/code/findbugs/jsr305/2.0.3/jsr305-2.0.3.jar
[ERROR] Number of foreign imports: 1
[ERROR] import: Entry[import  from realm ClassRealm[maven.api, parent: null]]
[ERROR]
[ERROR] -----------------------------------------------------
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginContainerException

Please, find attached full debug output.

Conditions:

The conditions in the described scenario seem necessary and sufficient to reproduce the bug.
The following three examples complete the analysis normally:

1. No dependency management, though the dependency is still resolved in system scope.

    <dependencies>
        <dependency>
            <groupId>javax.activation</groupId>
            <artifactId>activation</artifactId>
            <version>1.1.1</version>
            <scope>system</scope>
            <systemPath>${java.home}/lib/rt.jar</systemPath>
        </dependency>
        <dependency>
            <groupId>org.codehaus.xfire</groupId>
            <artifactId>xfire-core</artifactId>
            <version>1.2.6</version>
        </dependency>
    </dependencies>

2. It is a direct dependency, not transitive.

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>javax.activation</groupId>
                <artifactId>activation</artifactId>
                <version>1.1.1</version>
                <scope>system</scope>
                <systemPath>${java.home}/lib/rt.jar</systemPath>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>javax.activation</groupId>
            <artifactId>activation</artifactId>
        </dependency>
    </dependencies>

3. The dependency is not in system scope:

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>javax.activation</groupId>
                <artifactId>activation</artifactId>
                <version>1.1.1</version>
                <scope>provided</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.codehaus.xfire</groupId>
            <artifactId>xfire-core</artifactId>
            <version>1.2.6</version>
        </dependency>
    </dependencies>

debugOutput.txt
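A small check for the conditions this report isolates, added here as an example and not part of the original thread: it flags dependencies declared in dependencyManagement with system scope that are not also direct dependencies (conditions that rule out cases 2 and 3 above). It assumes the POM declares the standard Maven xmlns; whether the artifact is really pulled in transitively (the remaining condition) still needs the resolved tree from `mvn dependency:tree`.

```python
# Added example, not from the thread: flag managed dependencies matching the
# crash conditions of this report (in <dependencyManagement>, <scope>system,
# not also a direct dependency). Assumes the standard Maven xmlns; the
# transitive condition still needs "mvn dependency:tree".
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample: the crashing POM from the report, trimmed to the relevant parts.
CRASHING_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>javax.activation</groupId>
        <artifactId>activation</artifactId>
        <version>1.1.1</version>
        <scope>system</scope>
        <systemPath>${java.home}/lib/rt.jar</systemPath>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.codehaus.xfire</groupId>
      <artifactId>xfire-core</artifactId>
      <version>1.2.6</version>
    </dependency>
  </dependencies>
</project>"""

def _coords(dep):
    """groupId:artifactId of a <dependency> element."""
    return "%s:%s" % (dep.findtext("m:groupId", namespaces=NS),
                      dep.findtext("m:artifactId", namespaces=NS))

def suspicious_managed_deps(pom_xml):
    """Return (coords, systemPath) for every managed, system-scoped dependency
    that the project does not also declare directly."""
    root = ET.fromstring(pom_xml)
    direct = {_coords(d) for d in root.findall("m:dependencies/m:dependency", NS)}
    hits = []
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        scope = dep.findtext("m:scope", default="compile", namespaces=NS)  # Maven default
        if scope == "system" and _coords(dep) not in direct:
            hits.append((_coords(dep), dep.findtext("m:systemPath", namespaces=NS)))
    return hits

if __name__ == "__main__":
    for coords, path in suspicious_managed_deps(CRASHING_POM):
        print("system-scoped managed dependency not declared directly: %s (%s)" % (coords, path))
```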

Duarte Meneses

Nov 30, 2015, 3:18:53 AM
to SonarQube
Hi,

Thanks for the detailed report.
I was able to reproduce the bug. A ticket exists for the issue: https://jira.sonarsource.com/projects/MSONAR/issues/MSONAR-135

BR

soma.sr...@gmail.com

Oct 4, 2016, 11:09:24 AM
to SonarQube
I came across this issue before. What fixes it for me is, instead of calling mvn sonar:sonar,

I used mvn -Dsonar.host.url=<http url>
            -Dsonar.jdbc.url=<jdbc url>

You can find those URLs in the sonar properties in pom.xml.
